relaxed-json BSD-3-Clause 15 versions

relaxed-json

npm Repository Homepage

Relaxed JSON is strict superset JSON, relaxing strictness of valilla JSON

15

Versions

BSD-3-Clause

License

No

Install Scripts

Missing

Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

phadej

Keywords

jsoncommentscommentconfig

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	net-exec-file:components/jquery-2.0.3.js	AI (source-diff): This is the canonical jQuery 2.0.3 library bundled as a demo/documentation asset. The net+exec pattern is inherent to jQuery's design and poses no malware risk in this context.	ai	2026/04/24
source-diff	net-exec-file:components/underscore.js	AI (source-diff): This is the canonical Underscore.js 1.5.2 vendored library. The 'network' signal is a URL in a comment header; the code execution is Underscore's template engine. Not malicious.	ai	2026/04/24
semgrep	semgrep:new-function-constructor	AI (semgrep): new Function() usage is in Underscore.js 1.5.2's template engine — a well-known, documented pattern in that library, not a security concern for this package.	ai	2026/04/24
source-diff	net-exec-file:web/lib/jquery-2.0.3.js	AI (source-diff): This is the canonical jQuery 2.0.3 library bundled in the package's web demo directory, not a runtime dependency. The pattern is benign for this package.	ai	2026/04/24

Versions (showing 15 of 15)

Version	Deps	Published
1.0.3	2 / 7	2019-03-04
1.0.2	2 / 9	2019-03-04
1.0.1	2 / 9	2017-03-08
1.0.0	2 / 9	2015-07-13
0.2.9	2 / 8	2015-02-25
0.2.8	2 / 8	2014-10-26
0.2.7	2 / 7	2014-08-14
0.2.6	0 / 6	2014-06-30
0.2.4	0 / 6	2014-02-11
0.2.3	0 / 6	2014-02-10
0.2.2	0 / 6	2013-11-09
0.2.1	0 / 8	2013-11-09
0.2.0	0 / 8	2013-11-04
0.1.1	0 / 2	2013-11-02
0.1.0	0 / 2	2013-11-02

v1.0.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.9

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.8

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.7

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.1

2 findings

HIGH New file with network + code execution: components/underscore.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.0

2 findings

HIGH New file with network + code execution: components/jquery-2.0.3.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.1

2 findings

HIGH New file with network + code execution: web/lib/jquery-2.0.3.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.